Top 6 steps for GDPR compliance

Effective 25 May, 2018, the European Union's General Data Protection Regulation, commonly called GDPR, will become the law of the land not only in Europe but across the globe. If you do business anywhere in the world and collect personally identifiable information (PII) on an EU citizen, you will be subject to GDPR regulations. Remember that GDPR is a privacy regulation, not a data security regulation, but the former certainly impacts the latter. Here are the Top 6 steps you need to take in order to become GDPR compliant. It is important to note that many information security and privacy experts disagree on the order of the steps, but in general they agree that these are the most important steps to put in place as soon as possible.

1. Update your public-facing privacy policy. Your privacy policy is likely to be the first formal document a regulator will view. If your privacy policy is out of compliance, the regulator might well assume that other privacy components are out of compliance too. It is an invitation to further scrutiny by EU regulators.

2. Know where your data is. GDPR is all about managing PII of EU citizens. It is essential to know exactly what data you have, where you have it, how it is protected, and how to access it. If you cannot access PII, you likely would be subject to a fine. Data flow mapping is a huge task but essential under GDPR. Incidentally, if you use a customer relationship management (CRM) application, do disk drive backups or process various types of data analytics, there could be a lot of hidden PII there as well. Some experts believe that it is impossible to develop a comprehensive privacy policy until data flow mapping is in place.

3. Put privacy protection policies in place and follow them. In the EU, corporate intent often overrides the letter of the law. If your company has policies and procedures in place for protecting PII and a breach occurs, regulators likely will be more understanding if a company tries to do the right thing and follows its policies and procedures. Unlike US regulations such as PCI DSS where companies need to follow the letter of the regulation, the EU views trying to do the right thing as critical to the process and sometimes more important than actually following the letter of the law if the former approach protects PII more effectively.

4. Hire a data protection officer. Actually, not every company needs a data protection officer (DPO). The local coffee kiosk likely would be exempt, but if your company has a web site that collects analytics, sells to EU citizens or EU companies or collects demographic data on EU citizens for any purpose, you definitely need to be GDPR compliant and have a DPO. That said, whom you name as a DPO — an existing employee, a new employee, a third party — opens an entirely new can of worms and has its own multiple levels of considerations.

5. Convert your data collection processes to opt in. In the US, most companies offer an opt-out option to individuals and companies when it comes to collecting and using personal data. In the US, if you don't want to be on a mailing list, you need to tell the list owner and opt out, for example. The EU requires explicit opt-in consent from the person whose data is being collected. In addition, the popular Terms of Service (ToS) document used by US-based companies, which includes opting in as part of unrelated approvals, is not acceptable to EU regulators. According to the EU, it is not consent if the person has no option other than to approve a long ToS document.

6. Delete what you do not need. Many US companies have a policy of collecting as much data as possible about their customers, even if they do not necessarily know how to use the data at the moment. This policy is not consistent with GDPR. If you do have data on an EU citizen, be prepared to request permission from the individual for you to keep the data. EU citizens have a legal right to ask you to produce on demand any data you have on the person and for you to delete data at their request. Here is a simple recommendation: If your company has data on EU citizens that the company does not require for business purposes, delete it now. If you do not have the data, it cannot be compromised in a breach and you do not have to produce it on demand.